Nmap/nsock based port scanning

From SecWiki
Jump to: navigation, search

Checking out the code

Checking out the nmap-nsock-scan branch works exactly the same way it does for the rest of the branches. Just run:

svn co 'https://svn.nmap.org/nmap-exp/d33tah/nmap-nsock-scan'
cd nmap-nsock-scan

Getting the reviewable diff

Most of the new code is in nsock_scan.cc. There are also modifications to both the Unix and Windows build system and some extra debug code in timing.cc. I plugged in my new scanning code in nmap.cc. Nsock is also modified, with added TTL and connection lingering support. I also backported Henri's r32877 patch to Nsock . To filter it out of the diff, use the following command line:

git svn clone 'https://svn.nmap.org/nmap-exp/d33tah/nmap-nsock-scan'
cd nmap-nsock-scan
FIRST_COMMIT=`git log . | grep 'commit' | tail -n1 | cut -d' ' -f2`
R32877_COMMIT=`git log --format=oneline . | grep r32877 | cut -f1 -d' '`
git diff "$R32877_COMMIT..$R32877_COMMIT^" | patch -Np1
git commit -a -m "Reversing r32877. Don't push this commit."
git diff $FIRST_COMMIT.. .

Using the scanner

Currently the nsock scanning starts in only in -sT TCP connect() mode. To run the scan, issue any command that would result in -sT scanning, such as:

nmap -sT scanme.nmap.org
nmap scanme.nmap.org # if run without privileges
nmap --unprivileged scanme.nmap.org

To see if the nsock scanner kicked in, add -d to the command line to enable debugging output and look for the following line:

nsock_scan() begins.

What works

Feature Status Automated testing Comments
Basic port scanning Implemented A scan to scanme.nmap.org There is no probe_bench equivalent implemented.
Basic retransmissions Implemented Separate scapy script
Probe canaries Mostly implemented There is no canary scoring and global canaries
Progress updates Implemented Uses a slightly different formula
Congestion control Mostly implemented Most of the code is already there, but it does not behave the same way Nmap does
RTT detection Implemented Not tested
Rate limit detection Not implemented
Linux self-connect bug workaround Implemented

Proxy scanning problems

It is currently not possible to use Nsock proxy support for port scanning due to a bug. To trigger it, add the following code after the "nsp_setdevice(nsp, o.device);" line:

if (o.proxy_chain) {
  nsp_set_proxychain(nsp, o.proxy_chain);

Also, in NsockTCPScanEngine::statusToPortState, find "*should_return = true;" and add the following lines below:

} else if (status == NSE_STATUS_PROXYERROR) {
   *port_state = PORT_FILTERED;
   *reason_id = ER_NORESPONSE;

If you compiled the code and tried to run it using the "ncat -l --proxy-type http -p 3128 -v & sleep 1 ; ./nmap --proxies http://localhost:3128 -sT localhost", you would get the following error:

nmap: nsock_scan.cc:1023: bool NsockHostScanStats::sendOK(timeval*, long unsigned int*): Assertion `since_last_sent >= 0' failed.

The last_sent is a bit in the future, but if we wanted assume that it's a gettimeofday() problem and reset it to the current time, we could do the following after "assert(when_ok != NULL);":

if (TIMEVAL_BEFORE(*now, last_sent))
  last_sent = *now;

Now, we get either a segmentation fault error or the following message:

Trying to delete NSI, but could not find 1 of the purportedly pending events on that IOD.

Regression testing

See Nmap/Regression_testing.